CS 6110 S18 Lecture 17 Predicate Transformers

1 Relative Completeness

In the last lecture, we discussed the issue of completeness—i.e., whether it is possible to derive every valid partial correctness specification using the and rules of Hoare . Unfortunately, if treated as a pure deductive system, cannot be complete. To see why, consider the following partial correctness specifications: {true} skip {P }{true} c {false} The first is valid if and only if the assertion P is valid while the second is valid if and only if the command c does not halt.

It turns out that the culprit is the weakening rule, which includes premises involving the validity of implica- tions between the assertions involved: ϕ ⇒ ϕ0 {ϕ0}c{ψ0} ψ0 ⇒ ψ (weakening) . {ϕ}c{ψ}

Although we cannot have a complete proof system for first-order formulas, Hoare logic does enjoy the property stated in the following theorem: Theorem 1.

∀ϕ, ψ, c.  {ϕ} c {ψ} implies ` {ϕ} c {ψ}.

This result, due to Cook (1974), is known as the relative completeness of Hoare logic. It says that Hoare logic is no more incomplete than the language of assertions—i.e., if we had an oracle that could decide the validity of assertions, then we could decide the validity of partial correctness specifications.

2 Weakest Preconditions

Given a program s and a postcondition ϕ, the weakest property of the input state that guarantees that s halts in a state satisfying ϕ, if it exists, is called the weakest precondition of s and ϕ and is denoted wp s ϕ. This says that

• wp s ϕ implies that s terminates in a state satisfying ϕ (wp s ϕ is a precondition of s and ϕ), • if ψ is any other condition that implies that s terminates in a state satisfying ϕ, then ψ ⇒ wp s ϕ (wp s ϕ is the weakest precondition of s and ϕ).

As in the λ-calculus, juxtaposition represents function application, so wp can be viewed as a higher-order function that takes a program s and a postcondition ϕ and returns the weakest precondition of s and ϕ. The function wp can also be viewed as taking a program and returning a function that maps postconditions to preconditions. For this reason, axiomatic is sometimes known as predicate transformer semantics.

3 Weakest Liberal Preconditions

Cook’s proof of relative completeness depends on the notion of weakest liberal preconditions. Given a com- mand c and a postcondition ψ the weakest liberal precondition is the weakest assertion ϕ such that {ϕ} c {ψ}

1 is a valid triple. Here, “weakest” means that any other valid precondition implies ϕ. That is, ϕ most accurately describes input states for which c either does not terminate or ends up in a state satisfying ψ.

Formally, an assertion ϕ is a weakest liberal precondition of c and ψ if:

∀σ, I. σ I ϕ ⇐⇒ (C c σ) undefined ∨ (C c σ) I ψ J K J K We write wlp(c, ψ) for the weakest liberal precondition of command c and postcondition ψ. From left-to-right, the formula above states that wlp(c, ψ) is a valid precondition:  {ϕ} c {ψ}. The right-to-left implication says it is the weakest valid precondition: if another assertion R satisfies  {R} c {ψ}, then R implies ϕ. It can be shown that weakest liberal preconditions are unique modulo equivalence.

We can calculate the weakest liberal precondition of a command as follows:

wlp(skip, ϕ) = ϕ wlp((x := a, ϕ) = ϕ[a/x] wlp((c1; c2), ϕ) = wlp(c1, wlp(c2, ϕ)) wlp(if b then c1 else c2, ϕ) = (b =⇒ wlp(c1, ϕ)) ∧ (¬b =⇒ wlp(c2, ϕ))

The definition of wlp(whilebdoc, ϕ) is slightly more complicated—it encodes the weakest liberal precondition for each iteration of the loop. To give the intuition, first define the weakest liberal precondition for a loop that termintes in i steps as follows:

F0(ϕ) = true Fi+1(ϕ) = (¬b =⇒ ϕ) ∧ (b =⇒ wlp(c, Fi(ϕ)))

We can then express the weakest liberal precondition using an infinitary conjunction: ^ wlp(while b do c, ϕ) = Fi(ϕ) i See Winskel Chapter 7 for the details of how to encode the weakest liberal precondition for a while loop as an ordinary assertion.

To check that our definition is correct, we can prove (how?) that it yields a valid partial correctness specification: Lemma 2.

∀c, ψ.  {wlp(c, ψ)} c {ψ} and ∀ρ.  {ρ} c {ψ} implies (ρ =⇒ wlp(c, ψ))

It is not hard to prove that it also yields a provable specification:

Lemma 3. ∀c, ψ. ` {wlp(c, ψ)} c {ψ}

Relative completeness follows by a simple argument:

Proof Sketch. Let c be a command and let P and ψ be assertions such that the partial correctness specification {P } c {ψ} is valid. By Lemma 2 we have  P =⇒ wlp(c, ψ). By Lemma 3 we have ` {wlp(c, ψ)} c {ψ}. We conclude ` {P } c {ψ} using weakening.

2